| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 67a3d3b0db462949ebcc07f9b7c45559a29fde1f.
Keeping Python 3.10 in setup.cfg classifier and zuul.yaml changes.
Reason for revert:
Needed-By: https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/882175
TC has been discussing about re-adding the python 3.8
testing in current master 2023.2 release testing.
- https://meetings.opendev.org/meetings/tc/2023/tc.2023-04-25-18.00.log.html#l-191
- https://lists.openstack.org/pipermail/openstack-discuss/2023-April/033469.html
While governance changes are under review, TC agreed to add py3.8 testing
so that we do not see more project/lib dropping python 3.8 and make them
uninstalable on python 3.8
- https://meetings.opendev.org/meetings/tc/2023/tc.2023-05-02-18.00.log.html#l-17
- https://review.opendev.org/c/openstack/governance/+/882165
Also adding py3.8 testing back in job https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/882175
Change-Id: I50a55442701be16bae3b7ae2035743b9f174dcfd
|
|
|
|
|
|
|
|
| |
Within 2023.2 python version 3.9 and 3.10 are the
supported python runtimes [1].
[1] https://review.opendev.org/c/openstack/governance/+/872232
Change-Id: I82682282703def588ce95b9b0067651ccf5ce924
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The bug scenario:
- define deprecated rule in policy folder
- start a service
- enforce policies
- remove the rule in policy folder
- enforce policies
New default is applied to the rule,
but new and old defaults should be applied
(OR logic)
The patch fixes it.
Closes-Bug: 1977549
Change-Id: If11fe2da1163d6d3f16d133aeb207a055cf30de4
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add file to the reno documentation build to show release notes for
stable/2023.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.1.
Sem-Ver: feature
Change-Id: I279a3b56f331ad2dcafd624f0d8ea166713a58c5
|
|
|
|
|
|
| |
Related to https://lists.openstack.org/pipermail/openstack-discuss/2023-February/032247.html
Change-Id: Icf66914c2b5b6221e55595c01d018617b224c6ea
|
|
|
|
|
|
|
| |
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: Ib11f5c8095c075170575ecaf635e6ce30bd3d789
|
|
|
|
|
|
|
|
|
|
|
| |
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for antelope.
See also the PTI in governance [1].
[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html
Change-Id: Ied1dbd4a6751b8a9bded9569eb5ea76e72d0b3f4
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: Ib8774b60b82602c4a22c622ebe623e348d0f1f2d
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Generation of sample policy files was broken when exclude_deprecated was
added as an extra argument to the generate_sample function in
I6d02eb4d8f94323a806fab991ba2f1c3bbf71d04. It was passed as the fourth
argument, which is actually include_help. Because it defaults to False,
this turned sample policy files into actual policy files.
Fix by using keyword arguments instead.
Change-Id: I5478b1c8e7fd2f1b01f63602998194bab3683f7c
Closes-Bug: #1975682
|
|
|
|
|
|
|
|
|
|
| |
In Zed cycle testing runtime, we are targetting to drop the
python 3.6/3.7 support, project started adding python 3.8 as minimum,
example nova:
- https://github.com/openstack/nova/blob/56b5aed08c6a3ed81b78dc216f0165ebfe3c3350/setup.cfg#L13
Change-Id: Icd143d8880666c1282e1e7821c108ab3e4de7813
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The '--exclude-deprecated' parameter should only be passed to
oslo.config to parse when it is True.
The final generated sphinx syntax is[1] where [--exclude-deprecated]
doesn't require True/False value and only should be passed when True.
The change introducing this[2] causes parsing issue in oslo.config[3]
while checking <bool>.startswith (we pass True/False value) and even
after that while calling argparse[4] with following error[5].
[1] usage: sphinx-build [-h] [--config-dir DIR] [--config-file PATH] [--exclude-deprecated] [--format FORMAT] [--namespace NAMESPACE]
[--noexclude-deprecated] [--output-file OUTPUT_FILE]
[2] https://review.opendev.org/c/openstack/oslo.policy/+/830514
[3] https://opendev.org/openstack/oslo.config/src/branch/master/oslo_config/cfg.py#L2937
[4] https://opendev.org/openstack/oslo.config/src/branch/master/oslo_config/cfg.py#L2960
[5] > /usr/lib/python3.8/argparse.py(1781)parse_args()
-> if argv:
(Pdb)
> /usr/lib/python3.8/argparse.py(1782)parse_args()
-> msg = _('unrecognized arguments: %s')
(Pdb)
> /usr/lib/python3.8/argparse.py(1783)parse_args()
-> self.error(msg % ' '.join(argv))
(Pdb)
TypeError: sequence item 0: expected str instance, bool found
> /usr/lib/python3.8/argparse.py(1783)parse_args()
-> self.error(msg % ' '.join(argv))
Handler <function generate_sample at 0x7fc0d6697d30> for event 'builder-inited' threw an exception (exception: sequence item 0: expected str instance, bool found)
Closes-Bug: #1970725
Change-Id: I95745b8d1cbdb6a7cf442d431a998b7e3ff600e4
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Deprecated rules can be confusing and downright unfriendly when
evaluating a generated sample output and seeing legacy rules being
aliased to new rules. Technically this is also invalid and results
in a broken sample file with overriding behavior.
Under normal circumstances, this wouldn't be a big deal, but with
the Secure RBAC effort, projects also performed some further
delineation of RBAC policies instead of performing a 1:1 mapping.
As a result of the policy enforcement model, a prior deprecated
rule was required, which meant the prior deprecated rule would
be reported multiple times in the output.
Since we don't have an extra flag in the policy-in-code definitions
of policies, all we can *really* do is both clarify the purpose
and meaning of the entry, not enable the alias by default in
sample output (as it is a sample! not an override of code!),
and provide projects as well as operators with a knob to
exclude deprecated policy inclusion into examples and sample
output.
Closes-Bug: #1945336
Change-Id: I6d02eb4d8f94323a806fab991ba2f1c3bbf71d04
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In the Enforcer.enforce() method there is boolean parameter do_raise.
When it is set to False, enforce() method should return True/False as an
enforcement result and not raise exception. It works like that with
PolicyNotAuthorized exception but since some time this method can also
raise InvalidScope exception and in such case behaviour was different.
This patch changes that behaviour so InvalidScope exception will also
not be raised when do_raise=False.
Closes-bug: #1965315
Change-Id: I37fd682ffa9d6f4c69698e1be42adac28bbfe72a
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for zed.
See also the PTI in governance [1].
[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html
Change-Id: I9819bed88617605d40649bb5bdcf27723d48ea3a
|
|/
|
|
|
|
|
|
|
|
|
|
| |
Add file to the reno documentation build to show release notes for
stable/yoga.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/yoga.
Sem-Ver: feature
Change-Id: I35de33c2f540ceb76b0b12da5373545c15306f6d
|
|\ |
|
| |
| |
| |
| | |
Change-Id: I09de011b77b49801da2a70eebacfab1d10de32d3
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently set_defaults() is only able to set the default
value of policy_file config option. In future, for example
scope config option like enforce_scope also needs to be override
the default value per service (service ready with scope enable
can set it to True and for other services it will be False as default
in oslo.policy).
To allow override the other config option, let's expand the existing
set_defaults() method to do so.
Change-Id: I72120efb7c55aab82b765237904c9ae6e91f6b6f
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Yoga testing runtime[1] has been updated to add py39
testing as voting. Unit tests update are handled by the
job template change in openstack-zuul-job
- https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/820286
this commit updates the classifier in setup.cfg file.
[1] https://governance.openstack.org/tc/reference/runtimes/yoga.html
Change-Id: I977e8e5d1a4e4b4aeebf484cfb2fca28dec7b724
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously it was checked only for registered rules but not for
rules which are subclasses of the BaseCheck class.
Now it's checked for all rules which have scope_types set.
It's required for e.g. Neutron as it is creating Check objects based
on the defined policy rules to e.g. include in the check attributes
like network's provider parameters, etc.
Depends-On: https://review.opendev.org/c/openstack/neutron/+/815838
Depends-On: https://review.opendev.org/c/openstack/neutron/+/818725
Closes-Bug: #1923503
Change-Id: I55258c1f999c84220518d1fbbf5e1e514361cebe
|
|
|
|
|
|
|
|
|
| |
It seems that since some time that job is timing out. To fix that,
this patch sets timeout for the cross-neutron-tox-py38 job to
3600 seconds which is the same value as configured for unit tests
jobs in Neutron.
Change-Id: If360a366b7299e36c80adaefe5baf559a5c16bdd
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch moves code responsible for scope types enforcement
to the separate method which can be reused in different places,
like e.g. to enforce scope for instances of the BaseCheck class.
Related-Bug: #1923503
Change-Id: I6fd671728582b2f60939764075a8e2a977e78b58
|
|\ \
| |/ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Neutron, based on the defined policy rules is creating check
objects "in flight" to e.g. include check some object's attributes,
like e.g. network's provider parameters.
That use case requires that BaseCheck class and classes which inherits
from it needs to have scope_types defined thus Neutron can set it for
the Check based on the defined policy rule.
This patch adds scope_types attribute to the BaseCheck class to make it
available for use cases like described above.
Related-Bug: #1923503
Change-Id: Ibf30d0ffa5e9b125742089705d3557c02a03bc43
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
If an user uses Enforcer without overwriting (Enforcer(overwrite=False))
we should not reset rules and only update loaded rules.
Enforcer without overwriting is a weird behavior, but it is supported at this moment.
Maybe it will be eliminated in future because it's misleading.
Operator cannot conclude what rules are loaded by simply looking in config files.
Change-Id: I2871407f8c7417a016415ccc166c1f37a9e17908
Closes-Bug: 1943584
|
|\ \ \
| |/ /
| | /
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Policy directory files can only add new rules or
update existing rules in cache, but cannot return back
loaded rules in memory to their default value.
This incorrect behavior was fixed in the patch.
Member "_loaded_files" of class Enforcer should keep
list of loaded policy config files paths.
In fact if the same file is changed many times
then the same file path is added many times.
If a file is deleted it's path not deleted from "_loaded_files".
The member is very misleading and is not used in code.
So this member was deleted in the patch because of
above mentioned resons.
Change-Id: I9ede38d8cf2ae968d3d8c0b1240bd6a51e6aa931
Closes-Bug: 1943584
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for yoga.
See also the PTI in governance [1].
[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html
Change-Id: I8b701dc843a96178cf3028d10c36af977b38739b
|
|\ \ \
| |/ / |
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add file to the reno documentation build to show release notes for
stable/xena.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/xena.
Sem-Ver: feature
Change-Id: I90013a56029ff70d0112b56efd32c1d0a5a6f0e0
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
An earlier patch[1] added a mapping for context 'system_scope'
to 'system' when enforce was called with a RequestContext
object. However, enforce can also be called with a creds dictionary
that may contain the context 'system_scope' element. When this
occured, 'system_scope' was not mapped to 'system' and the enforce
would fail with an InvalidScope exception.
This patch moves the 'system_scope' mapping from only occuring
with RequestContext objects to also map it when a creds dictonary
is passed to enforce.
[1] https://review.opendev.org/c/openstack/oslo.policy/+/578995
Change-Id: I83a22c3f825bad0c88018118f8630a20a445965e
|
| |/
|/|
| |
| |
| |
| |
| |
| | |
The help text isn't clear what happens when enforce_new_defaults is
False, which is the default behavior. Explicity call that out in the
help text since it's important for users to understand that behavior.
Change-Id: Iaed5682bc72f4c66adb9a40c6510b399314574df
|
| |
| |
| |
| |
| |
| |
| | |
This patch changes 'oslopolicy-policy-generator' to
'oslopolicy-checker' in oslopolicy-checker.rst.
Change-Id: I73621ced00404d164fdb23f077ee36fbb6faf717
|
|/
|
|
|
|
|
|
| |
The patch bumps min version of tox to 3.18.0 in order to
replace tox's whitelist_externals by allowlist_externals option:
https://github.com/tox-dev/tox/blob/master/docs/changelog.rst#v3180-2020-07-23
Change-Id: I28abab34878d3c62a88be8894107f994d02c1c4f
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| | |
inspect.getargspec() is deprecated since py3
[1] https://docs.python.org/3/library/inspect.html#inspect.getargspec
Change-Id: If7492d7f755c80687f867428d80e4efb1e1a5d57
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Setuptools v54.1.0 introduces a warning that the use of dash-separated
options in 'setup.cfg' will not be supported in a future version [1].
Get ahead of the issue by replacing the dashes with underscores. Without
this, we see 'UserWarning' messages like the following on new enough
versions of setuptools:
UserWarning: Usage of dash-separated 'description-file' will not be
supported in future versions. Please use the underscore name
'description_file' instead
[1] https://github.com/pypa/setuptools/commit/a2e9ae4cb
Change-Id: I58b9521882d81ab508bb7ce28308d88771daf1fe
|
|
|
|
| |
Change-Id: I8162d5c413de6a73614443fdcd30ee472cb81035
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We facing errors related to the new pip resolver, this
topic was discussed on the ML and QA team proposed to
to test lower-constraints [1].
I propose to drop this test because the complexity and recurring pain needed
to maintain that now exceeds the benefits provided by this mechanismes.
[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-December/019390.html
Change-Id: Ifcaf6993517d02bf54cd144efd247832947a009f
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We have many if else condition to pick the
right policy filebut there is no debugging log
to have useful info to know if expected policy file
is not picked.
Change-Id: I507c58a6dca06d0cc6f306bcd063c700c18cc5f7
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Moving on py3 as the default runtime for tox to avoid to update this at
each new cycle.
Wallaby support officially the following runtimes [1]:
- Python 3.6
- Python 3.8
During Victoria Python 3.7 was used as the default runtime [2] however this
version isn't longer officially supported.
[1] https://governance.openstack.org/tc/reference/runtimes/wallaby.html#python-runtimes-for-wallaby
[2] https://governance.openstack.org/tc/reference/runtimes/victoria.html#python-runtimes-for-victoria
Change-Id: I4a244fc6f2d0d614d579fb944255be728fee1d61
|
|\ \ \ |
|